
pokiSEC: Privacy for LB-AR Apps

Updated 31 December 2025
  • pokiSEC is a privacy-preserving framework for LB-AR apps that uses geo-indistinguishability and the Planar Staircase Mechanism (PSM) to obfuscate user locations.
  • It employs the TR-PSM approach to mitigate both per-location and trajectory-level attacks by reporting new locations only when displacement thresholds are exceeded.
  • Empirical evaluations show that pokiSEC enhances quality of service with minimal runtime overhead while offering tunable privacy guarantees for high-frequency AR environments.

pokiSEC is a privacy-preserving, client-side framework for location-based augmented reality (LB-AR) applications, with Pokémon Go–style games as the motivating example. It perturbs each GPS fix before it leaves the device, protecting location data at both the per-fix and the trajectory scale while keeping quality of service (QoS) high and runtime overhead negligible. pokiSEC introduces the Planar Staircase Mechanism (PSM) and Thresholded Reporting with PSM (TR-PSM), which enforce geo-indistinguishability with a tunable privacy budget suited to high-frequency, interactive AR environments (Seeam et al., 4 Aug 2025).

1. Privacy Threats and Adversarial Model

In LB-AR games, GPS fixes are streamed to the game server at high frequency, so the server, and any party able to observe that traffic, sees a dense record of the player's position. This exposes users to two categories of privacy threat:

  • Per-location adversary: observes each obfuscated fix $z_t$ and uses Bayesian inference to estimate the true location $x_t$.
  • Trajectory-level adversary: correlates the whole sequence $\{z_1,\ldots,z_T\}$ to reconstruct the user's path, exploiting temporal dependencies between consecutive fixes.

pokiSEC's dual-mechanism architecture is designed to mitigate both per-location and sequential linkage attacks by maximizing posterior uncertainty subject to precise privacy budgets.

2. Formal Privacy Guarantees

pokiSEC adopts formal definitions grounded in geo-indistinguishability:

Geo-Indistinguishability (per-location):

A location mechanism $\mathcal{M}: \mathbb{R}^2 \to \mathbb{R}^2$ satisfies $\epsilon$-geo-indistinguishability if for any locations $x$, $x'$ and any measurable set $S$,

$$\Pr[\mathcal{M}(x)\in S] \le e^{\epsilon\, d(x, x')}\, \Pr[\mathcal{M}(x')\in S]$$

where $d(\cdot, \cdot)$ is Euclidean distance.

Trace-level Geo-Indistinguishability:

For a session budget $\epsilon_T$, a streaming mechanism $\mathcal{M}$ satisfies $\epsilon_T$-GeoInd if, for any traces $\mathbf{x}, \mathbf{x}' \in (\mathbb{R}^2)^T$,

$$\Pr[\mathbf{z} = \mathcal{M}(\mathbf{x})] \le e^{\epsilon_T\, d_\infty(\mathbf{x},\mathbf{x}')}\, \Pr[\mathbf{z} = \mathcal{M}(\mathbf{x}')]$$

with $d_\infty(\mathbf{x}, \mathbf{x}') = \max_t d(x_t, x'_t)$.

Budgets compose sequentially: each released location adds its $\epsilon$ to the session total, so the trace-level guarantee weakens with the number of releases.

3. Mechanism Design: PSM and TR-PSM

Planar Staircase Mechanism (PSM)

PSM achieves $\epsilon$-geo-indistinguishability per fix by drawing the noise radius from a staircase-shaped density: the radius axis is cut into bins of width $\Delta$, the density is constant within a bin and falls by a factor $e^{-\epsilon}$ from each bin to the next, so perturbations concentrate closer to zero than with Planar Laplace noise. For $r \in ((i-1)\Delta, i\Delta]$,

$$f_r(r) = \frac{(1-e^{-\epsilon})\, e^{-(i-1)\epsilon}}{\Delta}$$

(the bin masses $(1-e^{-\epsilon})e^{-(i-1)\epsilon}$ form a geometric series that sums to 1). The angle $\theta$ is sampled uniformly on $[0,2\pi)$, yielding the noisy location

$$z = x + r(\cos\theta, \sin\theta)$$

Because $r$ is uniform within its bin, the expected displacement is exactly $\mathbb{E}[r] = \left(\frac{1}{1-e^{-\epsilon}} - \frac{1}{2}\right)\Delta$.

Algorithmic Summary:

  1. Draw $u$ uniformly from $[0,1)$.
  2. Find the smallest $i$ such that $\sum_{j=1}^i (1-e^{-\epsilon})e^{-(j-1)\epsilon} = 1 - e^{-i\epsilon} \ge u$, i.e. $i = \lceil -\ln(1-u)/\epsilon \rceil$ (with $i = 1$ when $u = 0$).
  3. Draw $r$ uniformly within bin $i$ and $\theta$ uniformly on $[0,2\pi)$; output $z = x + r(\cos\theta, \sin\theta)$.

Thresholded Reporting with PSM (TR-PSM)

TR-PSM increases trace-level privacy by releasing a new noisy location only when the displacement from the last released value $z_{\mathrm{ref}}$ exceeds a private threshold $\tilde\delta = \delta + \eta$, where $\eta$ is drawn from the PSM. At each step $t$:

  • If $\|x_t - z_{\mathrm{ref}}\| < \tilde\delta$, reuse $z_t = z_{\mathrm{ref}}$.
  • Otherwise release $z_t = \mathrm{PSM}(x_t)$, set $z_{\mathrm{ref}} \leftarrow z_t$, and charge $\epsilon$ to the session budget.

Because many true trajectories map to the same released sequence (a many-to-one output mapping), session privacy tightens and the error of trajectory-reconstruction attacks rises.

4. Theoretical Analysis

  • PSM satisfies $\epsilon$-GeoInd; the proof bounds the ratio of the staircase densities across bins. The mechanism is isotropic, since $\theta$ is uniform.
  • TR-PSM session privacy is $\epsilon_T = (k+2)\epsilon$ for $k$ threshold crossings.
  • QoS: the PSM mean error is approximately half the Planar Laplace mean error for small $\epsilon$.
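
A worked check of the last bullet, added here rather than taken from the paper, using the page's own symbols and the setting $\Delta = 1$ m recommended in section 6:

$$\mathbb{E}[r_{\mathrm{PSM}}] = \frac{1}{1-e^{-\epsilon}} - \frac{1}{2} = \frac{1}{\epsilon} + \frac{\epsilon}{12} + O(\epsilon^3), \qquad \mathbb{E}[r_{\mathrm{PL}}] = \frac{2}{\epsilon},$$

since the Planar Laplace radius is $\mathrm{Gamma}(2, 1/\epsilon)$-distributed. Hence $\mathbb{E}[r_{\mathrm{PSM}}]/\mathbb{E}[r_{\mathrm{PL}}] \to 1/2$ as $\epsilon \to 0$; at $\epsilon = 0.1$ the formulas give $10.01$ m against $20$ m, matching the $10.05$ m and $19.99$ m measured in section 5.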

Bayes risk for trajectory reconstruction under TR-PSM is up to $1.8\times$ that of the baseline, indicating robustness against sequential inference.

5. Empirical Evaluation

Dataset Coverage

  • Geolife: 8 m median step, 2 s intervals
  • T-Drive: 49 m median step, 181 s intervals
  • GeoTrace: Pokémon Go–style trajectories, multimodal, 127 km

Utility and Privacy Benchmarks

Mechanism              Mean dist. error (m)   Max dist. (m)
PLM (Planar Laplace)   19.99                  173.34
PSM                    10.05                  159.46

TR-PSM yields a Bayes risk $1.2$–$1.8\times$ higher than PLM/PSM at $\epsilon = 0.1$.

QoS in AR Context

Mechanism   Dense scene, QoS (%) at ε=0.1   Sparse scene, QoS (%) at ε=0.1
PLM         28                              46
PSM         42                              60
TR-PSM      38                              55

The QoS improvement in object catchability reaches 50% over the PLM baseline (42% versus 28% in the dense setting), and accumulated loss falls by 30–57%.

Runtime Overhead

Device       PLM (ms)   PSM (ms)   TR-PSM (ms)
Galaxy A04   0.556      0.559      0.964
Pixel 6a     0.114      0.112      0.152
Galaxy S22   0.054      0.055      0.069

Even on the slowest device the mechanism costs under 1 ms per fix, less than 0.2% of a typical AR location-update latency in the end-to-end client–server pipeline.

6. Client Integration and Tuning

Integration requires:

  1. Hook onLocationChanged events to capture $(\mathit{lat}, \mathit{lon})$.
  2. Choose $\epsilon$ ($0.1$ for high privacy, $0.2$–$0.5$ for higher QoS), $\Delta$ (set $\Delta = 1$ m), and $\delta$ (a 5–10 m threshold).
  3. Initialize TR-PSM: sample the private threshold $\tilde\delta = \delta + \eta$.
  4. Report locations per the TR-PSM logic; send only the obfuscated $z_t$ in the server payload.

Recommended session budget: $\epsilon_T = (k + 2)\epsilon$ with $k \approx 20$ threshold crossings for a typical game session (so $\epsilon_T \approx 2.2$ at $\epsilon = 0.1$).
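
The following Python is added here as an illustration and is not pokiSEC's code or the paper's. It implements the PSM sampler of section 3 as the algorithmic summary states it (inverse CDF over the staircase bins, uniform radius within the bin, uniform angle) and wraps it in the TR-PSM reporter that the integration steps above describe, using the section 6 parameters ε = 0.1, Δ = 1 m, δ = 5 m. Assumptions not in the text: coordinates are metres in a local tangent plane (a real client would project the lat/lon from onLocationChanged first), the threshold noise η is a single PSM radius draw, and the trajectory it processes is a constructed straight-line walk, not trace data. It also cross-checks the expected-error formula against a Monte Carlo estimate and the Planar Laplace baseline.

```python
"""PSM sampling and TR-PSM thresholded reporting, written as an added
illustration of the mechanisms described on this page (not pokiSEC's code).
Assumption: coordinates are metres in a local tangent plane; a real client
would project lat/lon from onLocationChanged before calling report()."""
import math
import random


def psm_bin_index(u: float, eps: float) -> int:
    """Inverse-CDF step of the PSM. The cumulative mass of bins 1..i is
    sum_j (1-e^-eps) e^{-(j-1)eps} = 1 - e^{-i eps}; return the smallest i
    for which it reaches u (u = 0 maps to bin 1)."""
    if u <= 0.0:
        return 1
    return max(1, math.ceil(-math.log1p(-u) / eps))


def psm_radius(eps: float, delta: float, rng: random.Random) -> float:
    """Radius drawn from the staircase density: pick bin i, then r is
    uniform inside ((i-1)*delta, i*delta]."""
    i = psm_bin_index(rng.random(), eps)
    return ((i - 1) + rng.random()) * delta


def psm_sample(x, eps: float, delta: float, rng: random.Random):
    """Planar Staircase Mechanism: z = x + r (cos theta, sin theta), theta ~ U[0, 2pi)."""
    r = psm_radius(eps, delta, rng)
    theta = rng.uniform(0.0, 2.0 * math.pi)
    return (x[0] + r * math.cos(theta), x[1] + r * math.sin(theta))


def psm_radial_density(r: float, eps: float, delta: float) -> float:
    """f_r(r) = (1-e^-eps) e^{-(i-1)eps} / delta on bin i. Adjacent bins differ
    by exactly the factor e^eps, which is the ratio the GeoInd proof bounds."""
    i = max(1, math.ceil(r / delta))
    return (1.0 - math.exp(-eps)) * math.exp(-(i - 1) * eps) / delta


def psm_expected_error(eps: float, delta: float) -> float:
    """E[r] = (1/(1-e^-eps) - 1/2) * delta, exact because r is uniform within a bin."""
    return (1.0 / (1.0 - math.exp(-eps)) - 0.5) * delta


def planar_laplace_expected_error(eps: float) -> float:
    """Baseline: the Planar Laplace radius is Gamma(2, 1/eps), so E[r] = 2/eps."""
    return 2.0 / eps


def monte_carlo_mean_error(eps: float, delta: float, n: int = 20000, seed: int = 1) -> float:
    """Empirical E[||z - x||] over n PSM draws; should agree with psm_expected_error."""
    rng = random.Random(seed)
    return sum(math.hypot(*psm_sample((0.0, 0.0), eps, delta, rng)) for _ in range(n)) / n


class TRPSMReporter:
    """Thresholded Reporting with PSM. A fresh fix is released only when the
    true position has moved at least delta_tilde = delta + eta from the last
    released fix z_ref; eta is taken as one PSM radius draw (our reading of
    'sampled from the PSM'). Budget follows the page's eps_T = (k + 2) eps for
    k threshold crossings; the page does not break the +2 down further."""

    def __init__(self, eps: float, delta: float, thresh: float, rng: random.Random):
        self.eps, self.delta, self.rng = eps, delta, rng
        self.threshold = thresh + psm_radius(eps, delta, rng)  # private delta_tilde
        self.z_ref = None
        self.crossings = 0

    def report(self, x):
        """Return the fix to send to the server for true position x."""
        if self.z_ref is None:                          # first fix of the session
            self.z_ref = psm_sample(x, self.eps, self.delta, self.rng)
        elif math.dist(x, self.z_ref) >= self.threshold:
            self.crossings += 1                          # threshold crossed: fresh PSM draw
            self.z_ref = psm_sample(x, self.eps, self.delta, self.rng)
        return self.z_ref                                # otherwise reuse z_ref

    def budget_spent(self) -> float:
        return (self.crossings + 2) * self.eps


def run_session(eps=0.1, delta=1.0, thresh=5.0, n_steps=300, step_m=2.0, seed=7):
    """Constructed straight-line walk of n_steps fixes, step_m metres apart,
    fed through TR-PSM with the section 6 parameters. Returns (reports, reporter)."""
    rng = random.Random(seed)
    reporter = TRPSMReporter(eps, delta, thresh, rng)
    reports = [reporter.report((step_m * t, 0.0)) for t in range(n_steps)]
    return reports, reporter


if __name__ == "__main__":
    print("PSM E[r] analytic %.3f m, Monte Carlo %.3f m, Planar Laplace %.1f m"
          % (psm_expected_error(0.1, 1.0), monte_carlo_mean_error(0.1, 1.0),
             planar_laplace_expected_error(0.1)))
    reports, rep = run_session()
    print("%d distinct fixes released over %d steps; crossings k=%d; eps_T=%.2f"
          % (len(set(reports)), len(reports), rep.crossings, rep.budget_spent()))
```

Running the module prints the analytic and empirical PSM mean error at ε = 0.1 (both close to 10 m, against 20 m for Planar Laplace) and, for the constructed session, how many distinct fixes were released and the resulting ε_T. Only `z_ref` ever leaves `report()`, so the server payload never carries the true fix; the budget accounting reproduces the page's (k + 2)ε and should be checked against the paper before a deployment relies on it.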

7. Significance and Applicability

pokiSEC operationalizes geo-indistinguishability for LB-AR at scale with demonstrable QoS gains and minimal latency. Its dual mechanisms allow practitioners to calibrate privacy/QoS for game mechanics and regulatory demands. Its seamless drop-in applicability and rigorous empirical validation mark it as a reference realization of client-side privacy in high-frequency AR environments (Seeam et al., 4 Aug 2025).
